What is ePHI?
Electronic protected health information (ePHI) is any PHI that is created, stored, transmitted, or received electronically. The HIPAA Security Rule has specific guidelines in place that dictate the means involved in assessing ePHI.
Media used to store data, including:
- Personal computers with internal hard drives used at work, home, or while traveling
- External portable hard drives
- Magnetic tape
- Removable storage devices, including USB drives, CDs, DVDs, and SD cards
- Smartphones and PDAs
Means of transmitting data via Wi-Fi, Ethernet, modem, DSL, or cable network connections including:
PHI and HIPAA
The HIPAA Privacy Rule provides federal protections for PHI that’s held by Covered Entities (CEs) and gives patients rights over that information, as well as guidance for healthcare organizations regarding how to protect PHI. The Privacy Rule allows PHI to be disclosed in the course of patient care, but has strict guidelines in place for maintaining the integrity and security of that information while it’s being stored or otherwise processed. Specific measures within the Rule require comprehensive administrative, physical, and technical safeguards to ensure that the confidentiality, integrity, and security of PHI are properly maintained.
Data Storage, Cloud Storage, and ePHI
It’s important to note that HIPAA regulation treats data storage companies as Business Associates (BAs). The regulation accounts for the storage of physical and digital data, meaning that cloud storage services qualify as BAs even if the organization rarely, randomly, or never accesses or views the ePHI that they store.